Ransomware attacks appeared to decline as pandemic arrived

The number of incidents dropped as government offices closed and schools emptied out, but are starting to creep back up again, cybersecurity analysts said.
(Getty Images)

The number of ransomware attacks against state and local governments and public education systems appeared to fall in the first half of 2020 compared to last year, with the bulk of the decline coinciding with the emergence of the COVID-19 pandemic, cybersecurity researchers said.

But as more public-sector employees have gone back to work, and with a new school year approaching, the rate of attacks has started to tick back up. One analyst said it’s possible that the observed drop-off in attacks was the result of cybersecurity issues being overshadowed by the health crisis.

The cybersecurity firm Recorded Future counted 51 ransomware attacks against state and local governments between January and June of this year, compared to 111 over the same period in 2019. And 39 of those incidents occurred in January and February, and nearly one-third of them targeted K-12 school systems, which emerged last year as one of the juiciest targets for ransomware actors.


But Recorded Future analyst Allan Liska said the attacks mostly stopped around mid-March, as schools closed across the country and government offices emptied out and went remote. In an interview with StateScoop, Liska theorized that the decline in incidents might be attributable to schools moving the bulk of their operations to virtual platforms like Zoom and Google Classroom, and shrinking public-sector payrolls — about 1.5 million state and local government and education-sector workers have been furloughed or laid off since March, according to the Pew Charitable Trusts — giving hackers fewer opportunities to deploy their ransomware.

“So many of the state and local governments were shut down, there were fewer opportunities,” he said. “You don’t have as many people to phish who can get you into the middle of the network. If you’ve got a smaller attack surface, you’ve got fewer opportunities to get in.”

State chief information security officers, meanwhile, worried at the start of the pandemic that sending millions of public-sector employees to work from home would potentially expose sensitive government networks to the risks of home Wi-Fi setups and personal devices that don’t usually connect to those systems.

“We’re now adding hundreds of unknown networks,” Colorado CISO Deborah Blyth said last month during a virtual conference.



And there have been several ransomware incidents reported since the beginning of the pandemic, with victims including the cities of Florence, Alabama, and Knoxville, Tennessee, as well as statewide agencies like the Texas Department of Transportation. Major research universities, like Michigan State University and the University of California, San Francisco, have also been hit, with the latter paying hackers a $1.14 million bounty to not publish stolen data.

The cybersecurity research firm Emsisoft, which said Wednesday it’s counted 59 ransomware attacks against state and local agencies, also observed a dip as COVID-19 spread across the United States, though the effect dampened as states started relaxing their restrictions and reopening government offices.

“We are, however, seeing a reversal in that trend with the number of incidents now starting to increase,” read a post on Emsisoft’s blog. “This may be due to the lifting of restrictions and employees returning to the workplace or simply a normal season spike.”

Recorded Future’s Liska, though, had another theory as to why the number of reported ransomware incidents might have briefly declined: consumed by the health crisis, some government agencies might not have the bandwidth to address cyberattacks.

“The ransomware against state and local government was so overwhelmed by the pandemic,” he said. “We may find out six months or a year from now, when it gets entered into a city council meeting.”


Still, even if the number of attacks did go down earlier this year, states and cities should’t rest, Liska warned.

“The one thing about these ransomware actors is they’re very dynamic,” he said. “They have the ability to pivot from one kind of target to another kind of target. They will figure out what the new normal is because state and local government is too important of a target to give it up completely.”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts